Cyber and Physical Information Fusion for Infrastructure Protection: A Game-Theoretic Approach

Transcription

1 Cyber and Physical Information Fusion for Infrastructure Protection: A Game-Theoretic Approach Nageswara S V Rao Steve W Poole Chris Y T Ma Fei He Jun Zhuang David K Y Yau Oak Ridge National Laboratory Advanced Digital Sciences Center State University of New York at Buffalo Purdue University Abstract We consider a class of infrastructures composed of discrete components that can be disrupted by either cyber or physical attacks and are protected by cyber and physical reinforcements We formulate a game between the provider and attacker wherein their utility functions are in the form of sum of two terms an infrastructure survival probability term and a cost term We present a novel formulation that accounts for the cyber-physical interactions in two ways: i) the conditional survival probabilities of cyber and physical sub-infrastructures are specified by multiples of marginal probabilities at the structure-level and ii) the survival probabilities of components are determined by cyber and physical component attacks as well as component reinforcements We derive Nash Equilibrium conditions in terms of cost terms and component survival probabilities and obtain provider strategies by combining the cyber and physical parameters We propose sensitivity functions that highlight the dependence of infrastructure survival probability on cost parameters and component probabilities under statistical independence conditions This analysis shows a rather seemingly counter-intuitive qualitative behavior at NE that high costs and lower rewards lead to high infrastructure survival probability We apply this approach to simplified models of cloud computing infrastructures and energy grids both with a large number of components I INTRODUCTION The operation of infrastructures such as smart grids and cloud computing requires the continued functioning of cyber components such as Supervisory Control And Data Acquisition SCADA) systems servers routers and switches and also physical components such as power or fiber routes and cooling and power systems The components may be disabled and/or disconnected by cyber and physical attacks which will degrade the infrastructure performance In response the infrastructure providers are required to adopt strategies that ensure the required levels of operation and availability of both cyber and physical components by taking into account the strategies used by the attacker In this paper we consider a class of infrastructures consisting of discrete cyber and physical components which must be operational as individual units and also be available such as being connected to the network These components are subject to individual attacks in that cyber physical) attacks will disable cyber physical) components that have not been reinforced For example a cyber attack on a server may bring it down or a physical attack on a fiber route of a network may destroy it In addition to these direct impacts there are cyber-physical interactions that make a component unavailable to the infrastructure even though the component by itself is operational that is not disabled For example a physical attack on a fiber connection to a site that houses servers of a cloud computing infrastructure will render them unavailable over the network In addition to these component-level characterization we consider that all cyber components form the cyber subinfrastructure and all physical components form the physical sub-infrastructure The cyber and physical sub-infrastructures can be separately identified and are typically operated by different domain experts For example SCADA systems of a power grid are maintained by operations staff whereas the physical power routes are maintained by power engineering staff A complete disruption of either sub-infrastructure will lead to that of the entire infrastructure and we consider that conditional probability of failure or unavailability of one subinfrastructure given the failure of the other can be estimated as a scalar multiplier which is dervived using the underlying structure We consider infrastructures that consist of a large number of uniform components such as servers and SCADA systems such that the overall performance level of the infrastructure is adequately characterized by the number of components that are operational and available The attacker is expected to launch a certain number of cyber or physical attacks but not both But the provider needs to reinforce certain numbers of both cyber and physical components Thus there is a basic level of asymmetry between them although in some sense the infrastructure appears as a uniform collection of components to both This characterization is coarser than those that account for specific components and is intended for infrastructures with a large number of components such as cloud computing infrastructure with thousands of servers or a power grid with hundreds to thousands of SCADA systems 1 In these systems the sheer number of components makes it much too complex to account for the individual components and it is more manageable to deal in terms of the number of components being attacked or reinforced We focus mainly on the provider who is charged with reinforcing a certain number of cyber and physical components of the infrastructure to defend against the degradations of both kinds which are specified by the number 1 A finer model might require taking into account the specific details of the individual components

2 of components attacked) We consider that a component can be reinforced so that it cannot be disabled by a direct attack but it can be made unavailable as an indirect result of attack on another component as in the case of a server in the cloud computing infrastructure example These infrastructures are characterized by the following considerations: a) b) c) d) knowledge about the capabilities and certain locations of the infrastructure is available to the attacker primarily from public sources; costs incurred by the provider and attacker are private information and not available to the other; strategies used by the provider in choosing which parts to reinforce and by the attacker in choosing which parts to attack are not revealed to the other; results of attacks are known to the provider and attacker These considerations lead to game-theoretic models where information in items a) and d) is available to both defender and attacker and information in items b)-c) is private Both defender and attacker consider that the other utilizes a probabilistic strategy Our objective is to gain a qualitative understanding of the interactions between the provider and attacker by utilizing a simultaneous game model This model is simpler than those used in critical infrastructures such as power distribution transportation and agriculture [3] since it does not model the dynamics of the underlying phenomena for example using partial differential equations to model traffic dynamics We study methods that are designed to ensure the infrastructure survival in presence of cyber and physical degradations within the framework of game theory [4] [7] [8] Such characterizations that address system reliability and robustness aspects using a game-theoretic formulation have been considered recently in several applications [2] for example smart grids [6] cloud computing infrastructures [9] and power systems [5] Our approach is based on the Stackelberg formulation wherein the infrastructure provider chooses options based on instantaneous information and may re-derive the actions as new information becomes available This formulation is more reactive and sensitive to dynamic disruptions compared to long-term strategies used in Markov game models [1] [6] We present a formulation of a game between the provider and attacker wherein their utility functions are in the form of sum of a infrastructure survival probability term and a cost term The infrastructure survival probability accounts for cyber-physical aspects in two ways: i) the conditional survival probabilities of cyber and physical sub-infrastructures are specified by a multiple of marginal probabilities derived at the structure-level and ii) component survival probabilities are derived based on the number of cyber or physical attacks and the number of cyber and physical components reinforced Nash Equilibrium NE) represents the attack and reinforcement actions that optimize the utility of attacker and provider based on their individual information from which neither has a motivation to unilaterally deviate [4] We derive the Nash Equilibrium conditions in terms of cost terms and the component survival probabilities typically expressed in terms of number of cyber and physical attacks and reinforcements The infrastructure provider strategy is derived by combining both cyber and physical parameters We also estimate the partial derivatives that indicate the sensitivities of infrastructure survival probability with respect to cost parameters and conditional success and failure probabilities of components under statistical independence conditions This analysis shows a rather seemingly counter-intuitive qualitative behavior that high costs and lower rewards lead to NE with high infrastructure survival probability We apply this approach to simplified models of cloud computing infrastructures and smart energy grids We first consider cases both cyber and physical components are uniform in Section II-B namely servers and fiber connections for cloud infrastructures and SCADA systems and power lines for power grid Then we consider two different types of cyber components namely servers and routers for cloud infrastructure in Section IV-A and SCADA systems and power meters in the smart grid in Section IV-B In these application scenarios we explicitly derive NE conditions and sensitivity functions In Section II we present our discrete component model for the infrastructure and derive the survival probabilities at the structural- and component-level We present the game theoretic formulation in Section III and derive NE conditions and sensitivity estimates We present applications in Section IV II DISCRETE SYSTEM MODELS We consider that the infrastructure consists of N C cyber components that constitute the cyber sub-infrastructure and N P physical components that constitute the physical subinfrastructure Each cyber and physical component must be operational and available to contribute to the infrastructure operation A component may be unavailable in two ways: it may be operationally disabled or it is operational but disconnected from the infrastructure Typically a component may be disabled by a direct attack and may be disconnected as an indirect effect of an attack on another component In particular a cyber attack may render a physical component unavailable even if it is physically operational for example an attack on a SCADA system might disable power flow on a line And a physical attack on a component might render cyber components unavailable for example fiber cuts to a server site would make all servers unavailable even though they are up and running We capture these cyber-physical interactions using survival probabilities at two levels: i) at the structure-level we utilize the abstractions of cyber and physical sub-infrastructures and ii) at the component-level we consider that cyber attacks affect the availability of physical components and vice versa We consider that the number of components of the system to be large so that we abstract out the individual component differences by using probabilities that capture generic cyber and physical components A Cyber-Physical Structural Interactions The probability that the infrastructure is operational is denoted by P CP At the structure-level the probabilities that

3 the cyber and physical sub-infrastructures are operational are denoted by P C and P P respectively and their failure probabilities are denoted by P C P C and P P P P respectively For the infrastructure to be operational both cyber and physical sub-infrastructures must necessarily be operational and available) and the failure of one in general effects the availability of the other due to component-level cyber-physical interactions The attacker can disable the infrastructure by bringing down either cyber or physical sub-infrastructures Since the costs of attacking individual sub-infrastructures are additive typically there is no particular advantage in attacking both parts simultaneously in our formulation Thus we have P CP [P C + P P P C P ] = P C + P P 1 + P C P 21) The joint probability P C P is expressed in terms of conditional failure probabilities as: P C P = P C P P P and P C P = P P CP C Using the structural properties of infrastructure we utilize cyber and physical multipliers denoted by a C and a P respectively to capture the relative importance of cyber and physical parts The failure probability of cyber sub-infrastructure given that physical sub-infrastructure is disabled is P C P = a C P C For example in a cloud computing infrastructure with 100 servers per site disabling the fiber connection would disconnect all servers at the site which can be reflected by choosing a C 00 Similarly we have P P C = a P P P The cyberphysical multiplier a CP = a C or a CP = a P captures the effects of cyber and physical multipliers respectively which is appropriately chosen based on the details of the infrastructure Condition 21: The probability that infrastructure is operational is expressed in terms of those of cyber and physical sub-infrastructures as P CP = P C+P P P C P = P C +P P 1+a CP 1 P C )1 P P ) where a CP = a C or a CP = a P If a C > 1 the cyber failures are positively correlated to physical failures that is they occur with higher probability following physical failures since P C P > P C If a C < 1 means that cyber failures are negatively correlated to physical failures The special case a C means that the cyber failures are independent of physical failures The conditions on a P are similarly interpreted If a CP > 1 then either cyber failures are positively correlated or physical failures are positively correlated with the other If a CP < 1 then both cyber and physical failures are negatively correlated with the other B Component Survival Probabilities Let p CR and p CN denote the probability of survival of a cyber component with and without reinforcement respectively Under the assumption of statistical independence of component failures the probability that the cyber and physical parts survive the attacks are given by and P C β C P P β P NC x c NP x p ) p xc CR pn C x c CN ) p xp CR pn P x p CN respectively where β C and β P are the corresponding normalization constants Let p R denote the probability that a component is reinforced such that p CR = p C R p R where p C R is the conditional probability that a reinforced component will survive Similarly p N p R is probability that a component is not reinforced and p CN = p N where is the probability that a non-reinforced component will survive We apply normalization by using the probability one event that exactly x c cyber components and x p physical components are reinforced such that ) NC p xc R 1 p R) N C x c = β C and x c NP x p ) p xp R 1 p R) N C x p = β P where p R is specific to cyber and physical components By applying this normalization factor we have the following simpler expression for component survival probabilities: P C = p xc C R pn C x c C N and P P = p xp P R pn P x p P N Condition 22: The component failures are statistically independent such that the survival probabilities of cyber and physical sub-infrastructures are given by P C = p xc C R pn C x c C N and P P = p xp P R pn P x p P N respectively We now describe two simplified illustrative examples for which we can derive estimates for p B R and p B N for B = C P We will expand further on these examples in Section IV by taking additional details into account Example1: Cloud Computing Infrastructure: We consider a simplified model of a cloud computing infrastructure which consists of several sites each of which houses 100 servers The servers constitute cyber components which may be disabled by cyber attacks if not cyber-reinforced The physical fiber connections constitute the physical components of our model and they can be disrupted by physical attacks; reinforcements in this case could be in the form of redundant physically separate fiber runs A physical fiber attack will disconnect all servers at the site from the network making them unavailable We assume that both attacker and provider choose the components according to uniform distribution Thus the probability that a cyber-reinforced component survives the fiber attacks is given by p C R = [y p x p ] + where 0 1 is appropriately chosen and [] + is the non-negative part that is [x] + = x for x > 0 and [x] + = 0 otherwise This estimate reflects that there are a minimum of [y p x p ] + non-reinforced fiber connections and a randomly chosen cyber component is more likely to be disconnected for higher values of [y p x p ] + There is no dependence on y c since a cyber attack will not be able to disable a cyber-reinforced component If the cyber component is not reinforced it will be brought down by a direct cyber attack or indirectly by fiber attack but the latter will have higher impact Thus we use the estimate of survival probability as = 1 + y c + 100[y p x p ] +

4 which reflects the additional lowering of survival probability inversely proportional to the level of cyber attack y c Example 2: Power Grid Infrastructure: We consider a simplified model of a power grid controlled by a cyber) network of SCADA systems where each system controls the power flow on 5 lines The SCADA systems constitute the cyber components and the power lines constitute the physical components A SCADA system may be disabled by cyber means and we assume that that such event will disrupt the power flow on all 5 lines associated with the system By using the reasoning analogous to Example 1 we estimate the survival probability of reinforced power lines that can be disconnected by y c cyber attacks as f P p P R = 1 + 5[y c x c ] + where 0 f P 1 is appropriately chosen Each power line can be directly disrupted by physical means such that it can be brought down if not reinforced and a component is more likely to be unavailable if there are more physical attacks namely higher y p Thus an attack on a SCADA system will have an amplified effect on power lines compared to direct physical attacks such that f P = 1 + y p + 5[y c x c ] + provides an estimate of the probability of survival of a nonreinforced power line III GAME THEORETIC FORMULATION Consider that the provider chooses to reinforce x c cyber components and x p physical components and the attacker attacks y c cyber components and y p physical components The provider s objective is to keep the infrastructure operational and available which involves selecting a number of components to reinforce at certain costs We express the provider utility function as a sum of system probability and cost terms U D = [P CP x c x p y c y p )] C D x c x p ) where represents the reward of keeping the infrastructure available and C D ) represents the cost incurred in reinforcing the components When the component reinforcement costs are uniform we use C D x c x p ) = c CD x c + c P D x p where c CD and c P D are reinforcement costs of cyber and physical components respectively Similarly the attacker s utility function is given by U A = [1 P CP x c x p y c y p )] g A C A y c y p ) where g A represents the reward of disabling the infrastructure and C A ) represents the cost of attacking the components When the attack costs are uniform we use C A y c y p ) = c CA y c + c P A y p where c CA and c P A are the attack costs of cyber and physical components respectively and only one of y c and y p are non-zero A Nash Equilibrium Conditions The Nash Equilibrium conditions are derived by equating the corresponding derivatives to zero which yields U D x a = x a x a = 0 for a = c p for the provider and U A y a = y a g A C A y a = 0 for a = c p for the attacker When uniform component costs are used these conditions are simplified and compactly represented as z a = m B c ab /g B where z = x a = c p B = D and m D correspond to the provider and z = y a = c p B = A and m A = 1 correspond to the attacker We define the cyber-physical differential z c z p = z p z c = C B z p C B z c = θ B x c x p y c y p ) which indicates the relative importance of cyber and physical parts such that z = x and B = D for the provider and z = y and B = A for the attacker When component costs are used we have θ B x c x p y c y p ) = c P B c CB for B = A for the attacker and B = D for the provider which solely depends on component costs We now consider that the effects of reinforcement and attacks on cyber and physical sub-infrastructures can be separated such that most of the interactions are captured at the P P z c component level more precisely 0 and P C z p 0 for z = x y Intuitively these conditions indicate that at the structure-level only direct impacts are dominant for example cyber reinforcements contribute to improving the cyber subinfrastructure but not directly to physical sub-infrastructure Consequently we have for the defender the following condition Condition 31: For P C in Condition 21 we have for the defender B OR Systems [ 1 P P )] P C [ 1 P C )] P P Before we present the general result in the next section we first consider a special case where the probability of simultaneous failures of cyber and physical sub-infrastructures is negligible Consequently the infrastructure will fail if either of the physical or cyber sub-infrastructures fails such that PCP = P C + P P and such infrastructures are called OR Systems In this case the dependence of P CP on system parameters at NE is easier to derive and interpret since it will turn out to be determined entirely by component-level cyber-physical interactions without requiring the structurelevel interactions Condition 32: The probability of simultaneous failures of cyber and physical sub-infrastructures is low P C P 0 such that P CP P C + P P ) = P C + P P 1

5 Under this condition we have a much simpler form of Condition 31 given by P C and P P At NE we have P C P P We now estimate the partial differentials on the left hand side for these terms by using the specific forms P C = p xc C R pn C x c C N and P P = p xp P R pn P x p P N from Condition 22 For this estimation we utilize the following general formula Lemma 31: For fx) = a x b N x we have lna/b)fx) x fx) = Proof: We take ln on both sides of fx) and differentiate them with respect to x Then an algebraic manipulation yields the above formula By applying the above formula from Lemma 31 to P C and P P we obtain the following estimates for the survival probabilities of cyber and physical sub-infrastructures: P P ;D x p y c y p ) = P C;D x c y c y p ) = ) pp R x c ) When component costs are used these will be further simplified to c P D P P ;D x p y c y p ) = ) pp R P C;D x c y c y p ) = c CD ) These estimates provide qualitative information about the sensitivity of survival probabilities of cyber and physical parts in terms of costs and component-level survival probabilities First observation is that these estimates involve only componentlevel probabilities of the same type namely P P ;D and P C;D depend only on the probabilities of physical and cyber components respectively In particular they do not involve structurelevel interactions but the component probabilities capture the cyber-physical interactions since they depend on both cyber and physical component attacks and reinforcements For both cyber and physical parts the survival probabilities are proportional to component costs and inversely proportional to reward terms At a first look this looks counter intuitive but this characterization applies to the set of Nash equilibria and not to system behavior as a whole In part it is an artifact of the multiplicative term in the provider s utility function instead of just being P CP alone Because of the maximization of the additive utility term at NE a higher utility indeed can be achieved at lower P C or P P for a given gain term Qualitatively at NE the partial derivative of P C is directly proportional to the cost and inversely proportional to the reward term But under Lemma 31 the partial derivative is indeed proportional to P C itself with the multiplication term ln ) and hence has the same qualitative behavior as its partial derivative In addition both P P ;D and P C;D depend on the component survival probabilities due to the multiplication term in a qualitatively similar: a) higher survival probability of reinforced component leads to lower infrastructure survival probability and b) higher survival probability of nonreinforced component leads to higher infrastructure survival probability From the provider s perspective qualitative information about the dependence of P CP can be inferred using the estimate P CP ;D x c ) = PCP dx c = c CD x c that utilizes the partial derivative as a linearized approximation of dp C dx c It shows that the system survival probability at NE is inversely proportional to and directly proportional to component cost c CD and level of reinforcement x C C Statistical Independence oyber and Physical Sub- Infrastructures We consider the special case a CP such that P C P = P C or P P C = P P or both such that the cyber subinfrastructure failures are statistically independent of physical sub-infrastructure failures and vice versa Under this condition the survival probabilities of the cyber and physical subinfrastructures are also statistically independent such that At NE we have P CP = P C P P P C P P We now substitute expressions for P C and P P Lemma 31 and obtain the system of equations: P C;D PP :D = P P ;D PC;D = ) pp R x c ) based on Qualitatively at NE the survival probabilities of cyber and physical sub-infrastructures have an inverse relationship but their product is determined by cost terms and component survival probabilities in a manner similar to individual part probabilities P C;D and P P ;D of previous section

6 D NE Sensitivity Functions We now estimate P C and P P under Conditions and 31 to provide qualitative information about their sensitivities to different parameters from the provider s perspective Theorem 31: Under Conditions and 31 for a CP 1 an estimate of the survival probability of physical sub-infrastructure is ˆP P ;D x c y c y p ) = d P D d CD 2 ) ) 2a CP ± 1 2a CP acp ) 2 d P D d CD ) ) + 4a CP d P D and an estimate of the survival probability of cyber subinfrastructure is ˆP C;D x c y c y p ) where = d CD d P D 2 ) ) 2a CP ± 1 2a CP acp ) 2 d CD d P D ) ) + 4a CP d CD d P D x p y c y p ) = d CD x c y c y p ) = ) pp R x c ) Proof: At NE we have and P P P By using the formulae in Condition 31 we have [ 1 P P )] P C [ 1 P C )] P P We now substitute expressions for P C and P P Lemma 31 and obtain the system of equations: Then we have P C [ 1 P P )] = P P [ 1 P C )] = P C P P = d CD d P D ) pp R x c ) based on where we represent d P D x p y c y p ) and d CD x c y c y p ) by simply d P D and d CD respectively By using P C from this equation in P P [ 1 P C )] P P = d P D we obtain the quadratic equation [ ] a CP PP 2 dp D d CD )a CP ) P P d P D = 0 Solution to this equation provides ˆP P ;D x c y c y p ) which in turn yields ˆP C;D x c y c y p ) Compared to the case of OR Systems described in the previous section there is a significant level of cyber-physical interactions in ˆP P ;D x c y c y p ) and ˆP C;D x c y c y p ) which both depend on d P D x p y c y p ) and d CD x c y c y p ) In particular they both are affected by survival probabilities of cyber and physical components each of which in turn depends on the number of both cyber and physical component attacks and reinforcements Also the cyber-physical multiplier a CP affects these quantities in much more complicated manner than its multiplier role in Condition 21 Since 0 P C P 1 we 1 have 0 a CP max{p C P P } which implies a CP can take values both higher and lower than 1 Both ˆP P ;D x c y c y p ) and ˆP C;D x c y c y p ) depend on the difference of components costs as opposed to depending on components of the same type as in the case or OR Systems Furthermore the nature of dependence reverses as a CP crosses 1 reflecting the effects of positive and negative correlations between the cyber and physical parts For a CP < 1 ˆPP ;D and ˆP C;D are directly proportional to cyber and physical component costs respectively and this relationship reverses for a CP > 1 Similarly for a CP < 1 ˆPP ;D and ˆP C;D depend on components of the corresponding type namely physical and cyber component survival probabilities respectively as follows: a) higher survival probability of reinforced component leads to lower sub-infrastructure survival probability and b) higher survival probability of non-reinforced component leads to higher sub-infrastructure survival probability And ˆPP ;D and ˆP C;D depend on components of other type namely cyber and physical component survival probabilities respectively in the opposite way For a CP > 1 the qualitative behavior reverses in the cases above which illustrates the significant impact of the structure-level cyber-physical correlation on the overall behavior of the infrastructure E Survival Probabilities oyber and Physical Sub- Infrastructures It is instructive to compare the two survival probabilities of cyber and physical sub-infrastructuers P C and P P respectively since minimum of the two determines the survival of the infrastructure We have P C P P = d CD d P D Then the relationship between P C and P P is determined as follows: a) d CD > d P D ; a CP > 1: P C = P P a for a 0

7 b) d CD > d P D ; a CP < 1: P C = P P + b for b 0 c) d CD < d P D ; a CP > 1: P C = P P + c for c 0 d) d CD < d P D ; a CP < 1: P C = P P d for d 0 It shows that both relative component costs and cyber-physical multiplier a CP can independently determine which part has the higher probability of survival The difference in the survival probabilities of cyber and physical parts depends on the difference in component costs as expected But the exact nature depends on the 1-crossing point of a CP namely the dependence reverse as the cyber and physical parts are switched from being positively correlated to negatively correlated IV APPLICATION EXAMPLES In this section we incorporate additional details into Examples 1 and 2 described in Section II-B We consider that there are different types of cyber and physical components such that x a c a A C corresponds to cyber components of type a and x b p b A P corresponds to physical components of type b Thus we have x c = x a C and x p = x b p Now we a A C b A P generalize Condition 31 as follows Condition 41: The component failures are statistically independent such that P C = ) x a p a c C R p N C x c C N a A C P P = b A P ) x b p b p P R p N P x p P N By proceedings as in Section II-B we obtain the following conditions using Lemma 31: for a A C b A P P C p a ) C R x a = P C ln c ) P P p b P R x b = P P ln p where p a C R and pb P R denote the probabilities of reinforced cyber component of type a and reinforced physical component of type b respectively These estimates can be used for evaluating ˆP B and P B for B = C P as described in previous sections when there are different types of cyber and physical components The overall conclusions are qualitatively quite similar to the simpler cases of uniform components A Cloud Computing Infrastructure We now consider that in the cloud computing infrastructure of Example 1 all servers at a site are connected via a single gateway router to the network A physical fiber attack will disconnect all servers at the site from the network making them unavailable and a cyber attack on the gateway router will also have the same effect The multiplier a CP would be computed appropriately at the structure-level to reflect it and the component survival probabilities are computed using more detailed formulae derived above Now we separate the cyber components into two classes namely server and routers and x c = x S c + x R c such that x S c and x R c denote the number of reinforced servers and routers respectively Similarly y c = yc S + yc R such that yc S and yc R denote the number of servers and routers attacked respectively Then the cyber component probabilities are computed separately for severs and routers denoted by p S C R and pr C R respectively The probability that a cyber-reinforced server survives fiber or router attacks is given by p S C R = [y p x p ] [y R c x R c ] + which now depends on both physical attacks on fiber and cyber attack on routers Then an estimate of the probability that cyber-reinforced router survives a fiber attack is given by p R C R = 1 + [y p x p ] + since a cyber attack on a reinforced router has no impact and a fiber attack will disconnect only one router If the router is not cyber-reinforced then we have p R C N + [y p x p ] + + yc R By using these estimates for the router we have d R CD = 1 + c CD ) yc R 1+100[y p x p] + which increases in the number of attacks on non-reinforced fiber routes and decreases in the number of cyber router attacks If the cyber component server or router is not reinforced it will be brought down by a direct cyber attack or indirectly by fiber attack but the latter will have more impact However cyber attacks on servers and routers will have different impacts on the availability to the infrastructure namely a server attack will just bring it down but a router attack will make all 100 servers unavailable Thus for server that is not cyber reinforced we use the estimate p S C N + 100[y p x p ] [yc R x R c ] + + yc S which reflects the additional lowering of survival probability inversely proportional to the level of cyber attack yc S and to but amplified by a factor 100 Thus for servers we have y R c d S CD = c CD ) [yR c xr c ]++ys c 1+100[y p x p] + which increases in the number of attacks on non-reinforced fiber connections but decreases in the number of cyber attacks on non-reinforced routers multiplied by 100 and also in the total number of cyber attacks on servers The survival probabilities of physical fiber components depend on x p and y p such that f P p P R = and = f P 1 + [y p x P ] y p which increases in the number of physical attacks but decreases in the number of attacks on non-reinforced fiber components By combining the two formulae for fiber we have c P D d P D = ) 1+[yp x P ] + 1+y p

8 which increases in the number of physical attacks but decreases in the number of attacks on non-reinforced fiber components In addition to d P D and d B CD for B = S R the survival probabilities of cyber and physical sub-infrastructures are determined by the correlation multiplier a CP as described in Section III-E B Smart Grid Infrastructure The power grid model described in Example 2 is enhanced with smart meters on the lines that provide demand information to the generation and distribution control systems The smart meters can be attacked by cyber means so that the demand information can be manipulated for example to make it zero Now we separate the cyber components into two classes namely SCADA systems and smart meters and x c = x S c +x M c such that x S c and x M c denote the number of reinforced SCADA systems and meters respectively Similarly y c = yc S + yc M such that yc S and yc M denote the number of SCADA systems and meters attacked respectively Then the cyber component probabilities are estimated separately for SCADA systems and meters The survival probabilities of the power supply lines with and without reinforcement are denoted by p P R and respectively A SCADA system or a meter may be disabled by cyber means which will disrupt the power flow on the lines so that 1 p P R = 1 + 5[yc S x S c ] + + [yc M x M c ] + for physically-reinforced power lines; notice that cyber attacks on SCADA systems are amplified 5 times compared to attacks on smart meters Each power line can be directly disrupted by physical means such that it can be brought down if not reinforced and thus we have 1 = 1 + [y p x p ] + + 5[yc S x S c ] + + [yc M x M c ] + which reflects the amplified effect of cyber attacks on SCADA systems compared to physical line attacks Combining the two formulae we have d P D = 1 + c P D ) [y p x p] + 1+5[yc S xs c ]++[ym c xm C ]+ which decreases in the number of attacks on non-reinforced power lines and increases in the number of attacks on nonreinforced SCADA systems and non-reinforced meters but the former effect is amplified 5 times The survival probabilities of cyber components are given by p B C R 1 + [yc B x B and p B C N c ] yc B for B = S M Then we have d B CD = c P D ) 1+yc B 1+[yc B xb c ]+ for B = S M which decreases in the total number of cyber attacks but increases in the number of attacks on nonreinforced cyber attacks The net effect of the numbers of attacks and reinforcements on the survival probabilities of cyber and physical sub-infrastructures is also determined by correlation multiplier a CP in addition to d P D and d B P D for B = S M as described in Section III-E V CONCLUSIONS We studied a class of infrastructures composed of a large number of discrete components that can be disrupted by either cyber or physical attacks and are protected by cyber and physical reinforcements Using a game-theoretic formulation we capture the cyber-physical interactions in two ways: conditional survival probabilities of cyber and physical sub-infrastructures at the structure-level and the survival probabilities of components determined by the number of cyber and physical component attacks and reinforcements We derived Nash Equilibrium conditions in terms of cost terms and component survival probabilities and estimated the sensitivity functions that indicate the dependence of infrastructure survival probability on cost parameters component probabilities and the correlation multipliers of cyber and physical subinfrastructures We applied this approach to models of cloud computing infrastructures and energy grids at different levels of abstraction when both have a large number of components This formulation could be extended in several ways in future studies It would be interesting to study sequential game formulations of this problem and cases where different levels of knowledge are available to each party Applications of our approach to more detailed models of cloud computing infrastructure smart energy grid infrastructures and highperformance computing complexes would be of future interest Acknowledgments This work is funded by the Mathematics oomplex Distributed Interconnected Systems Program Office of Advanced Computing Research US Department of Energy and by Extreme Scale Systems Center sponsored by U S Department of Defense and performed at Oak Ridge National Laboratory managed by UT-Battelle LLC for US Department of Energy under Contract No DE-AC05-00OR22725 REFERENCES [1] T Alpcan and T Basar Network Security: A Decision and Game Theoretic Approach Cambridge University Press 2011 [2] V M Bier and M N Azaiez editors Game Theoretic Risk Analysis of Security Threats Springer 2009 [3] G Brown M Carlyle J Salmern and K Wood Defending critical infrastructure Interfaces 366): [4] D Fudenberg and J Tirole Game Theory MIT Press 2003 [5] C Y T Ma D K Y Yau and N S V Rao Markov game analysis for attack-defense of power networks under possible misinformation IEEE Transactions on Power Systems 2013 in press [6] C Y T Ma D K Y Yau and N S V Rao Scalable solutions of Markov games for smart-grid infrastructure protection IEEE Transactions on Smart Grid 14) 2013 [7] R B Myerson Game Theory: Analysis oonflict Harvard University Press 1991 [8] N Nisan T Roughgarden E Tardos and V V Vazirani editors Algorithmic Game Theory Cambridge University Press 2007 [9] N S V Rao D K Y Yau and C Y T Ma On robustness of cyberphysical network infrastructure In Workshop on Design Modeling and Evaluation oyber Physical Systems 2011